Tested Versions

Product URLs

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-787: Out-of-bounds Write

Details

This vulnerability is present in the Antenna House Office Server Document Converter, which is used as a document converter in many server enterprise solutions.
It can convert common formats, such as Microsoft's document formats into more usable and easily viewed formats.
There is a vulnerability in the conversion process of a PowerPoint (PPT) to PDF, JPEG and several other formats. A specially crafted PowerPoint (PPT) file can lead to heap corruption and remote code execution.
Let’s investigate this vulnerability. After we attempt to convert a malicious PowerPoint using the OSDC library, we see the following state:

As we can see, a heap-based buffer overflow appeared during the memcpy operation.

Looking at call stacks, we can see that the overflowed buffer has been allocated during operations related with the TxMasterStyleAtom record.
Further investigation revealed that 0x110 is indeed the TxMasterStyleAtom record size. Next, let's debug the OleCompNS::AHOleCompStream::OLEread method during parsing of the SlidePersistAtom record.
Pseudo code for the function looks as follows:

The _amount argument is set to the SlidePersistAtom record size. In our case, this is 0xff000014. StreamSize is the size of Compound File Directory Entry, in this case PowerPoint Document with value 0xF97.
As we can see at line 8-9 if _amount is bigger than streamSize, the _amount argument is set with result of the subtraction of streamSize and seek_pos which equals the current record offset.
Next, inside the while loop, data is read from a file into the buffer in the amount equal to the value of the _amount argument.
A heap-based buffer overflow can occur in two scenarios:
- When the _amount argument is bigger than previously allocated space for the buffer, but smaller than streamSize
and
- When _amount is bigger than streamSize, but the result of the subtraction of streamSize and seek_pos (the current record offset) is bigger than previously allocated buffer.
Both critical scenarios lead to heap memory corruption and give an attacker a possibility to remotely execute arbitrary code.